Soltec, as a data controller, collects and processes a certain amount of natural persons' data.
Such data may refer to employees, managers, clients, suppliers, counterparties, business contacts and other natural persons in contact with the Controller or with whom the latter is planning to establish business contacts.
This data protection policy regulates the methods of collection, processing and storage of personal data in compliance with the standards established by the Controller’s organization and legal requirements.
I. Legal grounds
This Data Protection Policy (“Policy”) is issued on the grounds of the Data Protection Act and its regulations in their updated form, (“Bulgarian law”), and the General Data Protection Regulation (EU) 2016/679 ("GDPR").
Bulgarian law and GDPR stipulate rules on the way organizations, incl. Soltec, shall collect, process and store personal data. These rules shall be applied by the Controller irrespective of whether the data are processed electronically, on hard copy or on other media.
To ensure that data processing is in compliance with legal requirements, personal data are collected and used on the relevant grounds, safely stored and the Controller undertakes all necessary measures to prevent unlawful disclosure of processed personal data.
The Controller is aware of the principles set out in GDPR and acts in compliance with them:
- Personal data are processed lawfully, conscientiously and transparently;
- Personal data are collected for specific, explicitly stated and legitimate purposes and are not further processed in a way inconsistent with these purposes;
- Personal data are appropriate, relevant and limited to what is necessary for the purposes of processing;
- Personal data are accurate and regularly updated, if necessary;
- Personal data are stored in a form allowing the identification of the persons concerned for a period no longer than what is necessary for the purposes of data processing;
- Personal data are processed in a way ensuring an appropriate level of data security, including protection against unauthorized or illegal processing or against accidental loss, destruction or damage, with the application of appropriate technical or organizational measures.
II. Purposes of this Policy
This Policy ensures that the Controller shall:
- Act in compliance with applicable personal data law and follow established good practices;
- Establish mechanisms of keeping, maintenance and protection of data registers;
- Determine the obligations of officers processing personal data and/or the persons having access to personal data and reporting to data processors, and their liability in case of failure to comply with these obligations;
- Protect the rights of staff, clients and partners;
- Ensure transparency of the methods of storage and protection of personal data of natural persons;
- Establish the necessary technical and organizational measures for protection of personal data from unauthorized processing (accidental or illegal destruction, accidental loss, unauthorized access, change or disclosure as well as any other illegal form of data processing);
- Be protected from risks of data breach.
This Policy shall apply for processing the data of counterparties, suppliers, clients and partners as listed in electronic registers created in compliance with this Policy, Bulgarian law and art. 30 of GDPR (“Records of processing activities”).
IV. Collection of personal data
Categories of data and subjects
“Personal data” means any information relating to an identified or identifiable natural person or natural person who can be identified (“Data subject”), as follows:
The Controller collects data for the following categories of subjects:
- Persons representing the companies with which the Controller has or plans to have business relations;
- Contact persons in the companies with which the Controller has business relations;
- Persons who are interested in receiving information services – newsletters, guides, etc.;
- Persons registering to use online stores.
Purposes of data collection
The Controller collects personal data for the following purposes:
1. To carry out activities of entering into, performance, change and termination of contracts, including for:
- Preparation of all types of documents;
- Contacting contact persons by phone, fax, email or in any other legal way;
- Delivery and/or acceptance of goods/services, communications for provision and/or receiving goods/services and for provision of the associated client services;
- Accounting for the performance of contracts to which the Controller is a party;
- Processing of payments under the contracts entered into by the Controller;
- Sending important information to the subjects on the change of rules, conditions and policies of the Controller and/or other administrative information;
2. For marketing purposes – after receiving the explicit consent of data subjects;
3. For statistical purposes – after receiving the explicit consent of data subjects;
Collection of data
Data of counterparties (managers, representatives and/or contact persons of the legal person under commercial contracts)
Personal data of any subject are given voluntarily by that subject and such data are collected by the Controller in compliance with statutory obligations, for entering into contracts and/or performance of obligations under existing contracts pursuant to the provisions of the Commerce Act, Accounting Act, Obligations and Contracts Act, VAT Act, etc. and the conditions specified in commercial contracts with the relevant client on: hard copy – written documents (including powers of attorney contracts, notices of distraint, bank information, etc.), by email – given for the performance of commercial contracts and/or by completing a registration form. The subjects shall be notified of the provisions of this Policy beforehand or at the moment of receiving their data.
Processing of personal data while using our website
Data recorded when visiting our website and using our online services are as follows:
- Date of the visit,
- Browser type and operating system of the client device
- Viewed pages
Such data are collected for security purposes and for the optimization and improvement of our online services. It is in our legitimate interests to protect our website and improve our services. Any other processing of data, except for statistical purposes in anonymous form, shall be performed only within the scope of this data protection notice. In addition, personal data shall be stored only if you provide it voluntarily, e.g. in the context of registrations, polls, competitions, online application or contract performance. Adequate security measures have been taken to ensure data encryption during the registration process, i.e. their protection from unauthorized access. Additional information, particularly of the technology used, is presented below. If data are transmitted to third parties, we guarantee by contractual arrangements that such service providers process personal data in compliance with European data privacy law to guarantee a high level of protection. Personal data shared with us on our website are stored only for the purpose they have been given for.
Registration for electronic newsletter
If you wish, you may register to receive our electronic newsletter by completing the registration form on the home page of our website (http://www.soltec.bg/). If you complete the form and provide your personal data to us, you agree to receive an electronic newsletter at the email address specified by you. The personal data collected with the registration form shall be processed only for the purposes of sending emails and only after you have given your consent for such processing. We use BenchmarkEmail to send electronic newsletters. On opening, a code is used to trace the links selected by you from the content of our newsletter. The information stored in Benchmark is your email address and the links you clicked. Your personal data will be stored until you unsubscribe from receiving our electronic newsletters by the Unsubscribe link. You can also write to email@example.com and express your desire to stop receiving our newsletters. There is also an option for your personal data to be “forgotten”. If you unsubscribe, your personal data will be deleted without undue delay. Please note that you will no longer receive current offers and special discounts if your personal data are “forgotten”.
You can use the contact form on the home page of our website http://www.soltec.bg/ to contact us for any reason. The personal data entered by you in the contact form will be processed only for the purposes of giving reply to your request.
“Cookies” and tracking
To make your visits to our website more pleasant and to ensure the use of certain functionalities, we use “cookies” for different pages. These are small text files that are stored on the client device from which you visit our website. Some “cookies” we use are deleted after the end of the browser session i.e. after you close the browser (so called “session cookies”). Other “cookies” are stored on your client device and allow us or our partner companies to recognize your browser for future visits (“persistent cookies”). You can set your browser to inform you of the “cookies” settings and to individually decide whether to accept them or forbid acceptance of “cookies” for specific cases or in general. Additional information is available in the help section of your web browser. Rejecting “cookies” can potentially limit the functionality of our website. We will discuss specific types of “cookies” below.
There are system “cookies” and promotional “cookies”. System “cookies” are necessary for the correct functioning of our website. Rejecting these “cookies” will change user experience while surfing on our website and some of our website services will be unavailable.
Promotional “cookies” are described below. They are stored when downloading the website and help us analyze general data of our visitors – e.g. how they get to our website, how much time they spend on it, whether they visit us for the first time, how they view the content of our website as well as to calculate the degree of success of our marketing campaigns.
We use Facebook Pixel, a Facebook service. This service uses “cookies” stored on your device that allow advertisements to be directed, through the Facebook advertising platform, to Facebook users and to users of Facebook partner companies, e.g. Instagram, who have visited our website in the past 180 days. This service gives more opportunities to create generalized anonymous visitor audiences based on the content viewed on the website and to track the success of advertisement campaigns realized through the Facebook advertising platform. You will find more information in the Facebook Data Policy here: https://www.facebook.com/about/privacy/. If you do not wish to participate in the process of tracking, you can refuse the “cookie” setting necessary for this by using the settings of your browser and generally deactivate automatic storage of “cookies”.
We use Google Analytics, a web analysis service offered by Google LLC. The information generated by “cookies” for your use of this website is usually sent to Google servers in the USA and stored there. Google shortens your IP address beforehand within the member-states of the European Union or in other member-states included in the Agreement on the European Economic Area. On behalf of the operator of this website, Google uses this information to assess the use of this website, to prepare reports on the activity of this website and to provide the website operator with other services related to the website and Internet use. The IP address sent through your browser in the context of Google Analytics is not combined with other data Google has available. You can refuse the use of “cookies” by selecting the relevant settings in your browser. You can also prevent the collection by Google of the data generated by “cookies” and related to your use of this website (including your IP address), as well as their processing by Google, by downloading and installing the browser plug-in available here: https://tools.google.com/dlpage/gaoptout?hl=en
Links to social media
Our websites also contain links to Facebook, YouTube and LinkedIn. In this case, transfer of data to the above social media operators is carried out only when the relevant button on the icon illustrating the link is clicked. If you click such a button, the page to the relevant social network opens. There, you can publish information on our products according to the rules of the social media operator.
You can use our official contact accounts in different social networks as well as other official public accounts of the company. Such are: our Facebook page https://www.facebook.com/Soltec-610522162443924/?ref=aymt_homepage_panel; YouTube channel https://www.youtube.com/channel/UCk58rGHBJqbJNrUahQzLC9w; LinkedIn page https://www.linkedin.com/company/soltec-eood/, etc. The personal data sent by you in personal messages will be processed only for the purpose of replying to your inquiry. We are not responsible for the information voluntarily shared by you on our official accounts without our explicit request.
V. Lawful interests of the Controller
Regarding data processing of managers and contracting parties:
Data processing is performed on the grounds of legitimate interest and in connection with entering into, existence, change and termination of commercial and civil contracts in compliance with and pursuant to the legal requirements of the Commerce Act, Social Security Code, Tax Insurance Procedures Code, Insurance Code, Income of Natural Persons Taxation Act, Accounting Act, Obligations and Contracts Act, etc.
VI. Transparency. Rights of the subjects whose data are processed by the Controller
Transparency and conditions for the exercise of the rights of subjects
The Controller presents information to the subjects in concise, transparent and easily accessible form, in clear and simple language.
The Controller makes efforts to ensure that the subjects are informed of the personal data processed by it and that they fully and completely understand and are informed of the processing in compliance with the requirements of GDPR and Bulgarian law.
The Controller presents the information to the subjects in written form or in other way, including, if relevant, by electronic means. If the subject requests so, the information may be presented orally, provided that the subject has been identified by other means.
The Controller gives the subjects free information on the activities undertaken with regard to requests to exercise their right to access, rectification, deletion, restriction of processing, portability, objections and automated decision-making, without unnecessary delay and in any case within one month after receiving the request.
If necessary, this period may be extended for another two months depending on the complexity and number of requests. The Controller shall inform the subjects of any such extension of the period within one month after receiving the request, stating the reasons for delay. If the subjects submit requests by electronic means, if possible, the information shall be presented by electronic means unless otherwise requested by the person.
If the Controller does not act on the request, the Controller shall notify the person without delay, and at the latest within one month of receipt of the request, of the reasons for not acting and of the possibility of filing a complaint with a supervisory authority and seeking legal protection.
If the requests of the subject are clearly ungrounded or exaggerated, more specifically due to their repetition, the Controller can:
- Charge a reasonable fee taking into account the administrative costs for provision of information or communication or undertaking the requested activities, or
- Refuse to act on the request.
Right of access of the subjects
Any subject may receive from the Controller confirmation whether his/her personal data is being processed and if so, to receive access to the data and the following information:
- purposes of processing;
- relevant categories of personal data;
- recipients or categories of recipients to which personal data are disclosed or will be disclosed (including third countries or international organizations);
- if possible, the planned period for which the data will be stored, and if this is not possible, the criteria used to set this period;
- the existence of the right to request the Controller to rectify or delete personal data or limit the processing of personal data related to the data subjects or of the right to object against such processing;
- the right to submit a complaint to the Commission for Personal Data Protection;
- if personal data is not collected from the data subjects themselves, any available information of their source;
- existence of automated decision-making, including profiling, or at least essential information on the logic used, the significance and expected consequences from such processing for the subjects.
When personal data are transferred to a third country or to an international organization, the subjects have the right to be informed of the guarantees relevant to the transfer.
The Controller will give to the subject a copy of the personal data that are being processed. For additional copies requested by the subjects, the Controller may charge a reasonable fee according to administrative costs. Where the data subject makes the request by electronic means, if possible, the information will be provided in a widely used electronic form unless otherwise requested.
Right to rectification
Any subject whose data are processed by the Controller may request the Controller to rectify without undue delay the inaccurate personal data related to that subject. In view of the purpose of processing, the person may make additions to incomplete personal data.
Right to erasure (Right “to be forgotten”)
The data subject shall have the right to request from the controller the erasure of personal data concerning him or her without undue delay and the Controller is obliged to erase personal data without undue delay where:
- personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
- the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased for compliance with a legal obligation to which the controller is subject;
- the personal data have been collected in relation to the offer of information society services.
Where the Controller has made the personal data public and is obliged pursuant to the foregoing paragraph to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing
The data subject whose data are processed by the Controller shall have the right to request from the Controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful but the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
- the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where processing has been restricted under the foregoing paragraph, such personal data, with the exception of storage, shall only be processed with the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is withdrawn.
Notification obligation regarding rectification or erasure of personal data or restriction of processing
The controller shall communicate any rectification, erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject so requests.
Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where (i) the processing is based on consent for specific purposes or on a contractual obligation of the data subject or on undertaking steps before entering into a contract; and (ii) the processing is carried out by automated means.
In exercising his or her right to data portability, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
Right to object
The data subject shall have the right to object at any time, on grounds relating to his or her specific situation, to processing of personal data concerning him or her (when processing is necessary for performance of tasks of public interest or exercise of official powers of the controller or processing is for the purpose of the lawful interests of the controller or third parties), including profiling. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are being processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
At the time of the first communication with the data subject, at the latest, the right referred to in the foregoing paragraphs shall be explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information.
VII. Technical and organizational measures for data protection
Protection of data stored on a hard copy or on electronic media from unauthorized access, damage, loss or destruction shall be performed with a number of internally regulated technical and organizational measures.
VIII. Personal data transfer
The controller does not perform and shall not perform transfer of personal data to countries outside the European Union.
IX. Breach. Notification of breach
Breach of data security occurs when personal data for which Soltec is responsible are affected by a security accident resulting in breach of confidentiality, existence or integrity of personal data. In this sense data breach occurs in case of breach of security leading to accidental or illegal destruction, loss, change, unauthorized disclosure of data which are transmitted, stored or otherwise processed.
In case of a personal data security breach, please immediately inform the personal data protection officer by using the following contact details: Soltec LTD, Kostievo vill. 4205, 1 Kapitan Burago St., E-Mail: firstname.lastname@example.org, tel. +359 32 500 425.
Assessment of breach
After the relevant Soltec employee receives information of the data breach, he or she shall assess whether that specific event is a breach of personal data and respectively inform the Controller’s managers of the event (in case they are not informed).
In case of personal data security breach resulting in possible risk for the rights and freedoms of natural persons, the Controller (through the relevant employee), without delay and if possible — not later than 72 hours after being informed of it, shall inform the Commission for Personal Data Protection of the violation.
When and as far as it is impossible to transmit information simultaneously, the information may be submitted gradually without further undue delay.
When the breach of personal data security could lead to a high risk for the rights and freedoms of natural persons the Controller shall promptly inform the subject of violation.
The Controller shall document any breach of personal data security, including the facts related to the breach, the consequences and the measures undertaken for coping with it.
Accounting and commercial information as well as any other information and documents related to taxation and compulsory tax insurance installments shall be stored by the Controller for the following periods:
- payrolls - 50 years;
- accounting registers and financial statements - 10 years;
- documents of tax insurance control - 5 years after expiry of the limitation term for payment of the public obligation to which they are related;
- all other carriers - 5 years unless the law stipulates a shorter term.
After expiry of the period of storage, information carriers (hard copy or technical) which shall not be transferred to the National Archives can be destroyed.
After expiry of the period of storage, data shall be destroyed as fast as possible: hard copies by shredding, and technical carriers by erasure and deletion of the relevant files from Company computers.
Pursuant to these internal rules:
§ 1. “Personal data controller” is Soltec LTD, a single-member limited liability company, UIC 200683594, and activities on behalf of the controller shall be performed by a data protection officer appointed for the purpose.
§ 2. “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
§ 3. This policy is subject to approval and shall be brought to the attention of the persons concerned by order of the Controller’s manager.
This policy was approved by the Manager on: 22 May 2018
This policy came into effect on: 25 May 2018